Edit tour

Windows Analysis Report
Payment Error.cmd.exe

Overview

General Information

Sample name:	Payment Error.cmd.exe
Analysis ID:	1596244
MD5:	9dac35c40e2d920ca69f23ba735da601
SHA1:	122f12f3cb93b5476bbe3140e3eb6bbe2dfdd5db
SHA256:	21214c5b0f0e85bf2b07948dad8992c07025e0c7d32117d34ad899bd1e8d3cbb
Tags:	exeuser-threatcat_ch
Infos:

Detection

ReverseShell, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected ReverseShell

Yara detected Snake Keylogger

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Payment Error.cmd.exe (PID: 1416 cmdline: "C:\Users\user\Desktop\Payment Error.cmd.exe" MD5: 9DAC35C40E2D920CA69F23BA735DA601)

Payment Error.cmd.exe (PID: 2544 cmdline: "C:\Users\user\Desktop\Payment Error.cmd.exe" MD5: 9DAC35C40E2D920CA69F23BA735DA601)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "omz@omzpnomatik.net", "Password": "Mustafa2023x", "Host": "mail.omzpnomatik.net", "Port": "587", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_ReverseShell	Yara detected ReverseShell	Joe Security
00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1487c:$a1: get_encryptedPassword 0x14b68:$a2: get_encryptedUsername 0x14688:$a3: get_timePasswordChanged 0x14783:$a4: get_passwordField 0x14892:$a5: set_encryptedPassword 0x15f07:$a7: get_logins 0x15e6a:$a10: KeyLoggerEventArgs 0x15ad5:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1820c:$x1: $%SMTPDV$ 0x18272:$x2: $#TheHashHere%& 0x19851:$x3: %FTPDV$ 0x19945:$x4: $%TelegramDv$ 0x15ad5:$x5: KeyLoggerEventArgs 0x15e6a:$x5: KeyLoggerEventArgs 0x19875:$m2: Clipboard Logs ID 0x19a95:$m2: Screenshot Logs ID 0x19ba5:$m2: keystroke Logs ID 0x19e7f:$m3: SnakePW 0x19a6d:$m4: \SnakeKeylogger\
00000002.00000002.4583642550.0000000003227000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ReverseShell	Yara detected ReverseShell	Joe Security
00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a0cc:$a1: get_encryptedPassword 0x16aafc:$a1: get_encryptedPassword 0x18b31c:$a1: get_encryptedPassword 0x14a3b8:$a2: get_encryptedUsername 0x16ade8:$a2: get_encryptedUsername 0x18b608:$a2: get_encryptedUsername 0x149ed8:$a3: get_timePasswordChanged 0x16a908:$a3: get_timePasswordChanged 0x18b128:$a3: get_timePasswordChanged 0x149fd3:$a4: get_passwordField 0x16aa03:$a4: get_passwordField 0x18b223:$a4: get_passwordField 0x14a0e2:$a5: set_encryptedPassword 0x16ab12:$a5: set_encryptedPassword 0x18b332:$a5: set_encryptedPassword 0x14b757:$a7: get_logins 0x16c187:$a7: get_logins 0x18c9a7:$a7: get_logins 0x14b6ba:$a10: KeyLoggerEventArgs 0x16c0ea:$a10: KeyLoggerEventArgs 0x18c90a:$a10: KeyLoggerEventArgs
00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x14da5c:$x1: $%SMTPDV$ 0x16e48c:$x1: $%SMTPDV$ 0x18ecac:$x1: $%SMTPDV$ 0x14dac2:$x2: $#TheHashHere%& 0x16e4f2:$x2: $#TheHashHere%& 0x18ed12:$x2: $#TheHashHere%& 0x14f0a1:$x3: %FTPDV$ 0x16fad1:$x3: %FTPDV$ 0x1902f1:$x3: %FTPDV$ 0x14f195:$x4: $%TelegramDv$ 0x16fbc5:$x4: $%TelegramDv$ 0x1903e5:$x4: $%TelegramDv$ 0x14b325:$x5: KeyLoggerEventArgs 0x14b6ba:$x5: KeyLoggerEventArgs 0x16bd55:$x5: KeyLoggerEventArgs 0x16c0ea:$x5: KeyLoggerEventArgs 0x18c575:$x5: KeyLoggerEventArgs 0x18c90a:$x5: KeyLoggerEventArgs 0x14f0c5:$m2: Clipboard Logs ID 0x14f2e5:$m2: Screenshot Logs ID 0x14f3f5:$m2: keystroke Logs ID
00000002.00000002.4583642550.0000000003061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Payment Error.cmd.exe PID: 1416	JoeSecurity_ReverseShell	Yara detected ReverseShell	Joe Security
Process Memory Space: Payment Error.cmd.exe PID: 1416	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Payment Error.cmd.exe PID: 1416	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Payment Error.cmd.exe PID: 1416	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5b6d7:$a1: get_encryptedPassword 0x5b922:$a2: get_encryptedUsername 0x5b506:$a3: get_timePasswordChanged 0x5b5e8:$a4: get_passwordField 0x5b6ed:$a5: set_encryptedPassword 0x5d5bc:$a7: get_logins 0x5d53d:$a10: KeyLoggerEventArgs 0x5d2ab:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Payment Error.cmd.exe PID: 1416	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5d2ab:$x5: KeyLoggerEventArgs 0x5d53d:$x5: KeyLoggerEventArgs 0x5daac:$x5: KeyLoggerEventArgs 0x5de0d:$x5: KeyLoggerEventArgs 0x5f635:$m2: Clipboard Logs ID 0x5f72c:$m2: Screenshot Logs ID 0x5f782:$m2: keystroke Logs ID 0x5f8b7:$m3: SnakePW 0x5f718:$m4: \SnakeKeylogger\
Process Memory Space: Payment Error.cmd.exe PID: 2544	JoeSecurity_ReverseShell	Yara detected ReverseShell	Joe Security
Process Memory Space: Payment Error.cmd.exe PID: 2544	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Payment Error.cmd.exe PID: 2544	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Payment Error.cmd.exe PID: 2544	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ec09:$a1: get_encryptedPassword 0x3eeeb:$a2: get_encryptedUsername 0x3ea1f:$a3: get_timePasswordChanged 0x3eb1a:$a4: get_passwordField 0x3ec1f:$a5: set_encryptedPassword 0x410f5:$a7: get_logins 0x41058:$a10: KeyLoggerEventArgs 0x40cc3:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Payment Error.cmd.exe PID: 2544	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x40cc3:$x5: KeyLoggerEventArgs 0x41058:$x5: KeyLoggerEventArgs 0x41625:$x5: KeyLoggerEventArgs 0x41986:$x5: KeyLoggerEventArgs 0x4329b:$m2: Clipboard Logs ID 0x43392:$m2: Screenshot Logs ID 0x433e8:$m2: keystroke Logs ID 0x4351d:$m3: SnakePW 0x4337e:$m4: \SnakeKeylogger\
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.Payment Error.cmd.exe.400000.0.unpack	JoeSecurity_ReverseShell	Yara detected ReverseShell	Joe Security
2.2.Payment Error.cmd.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.Payment Error.cmd.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.Payment Error.cmd.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.Payment Error.cmd.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a7c:$a1: get_encryptedPassword 0x14d68:$a2: get_encryptedUsername 0x14888:$a3: get_timePasswordChanged 0x14983:$a4: get_passwordField 0x14a92:$a5: set_encryptedPassword 0x16107:$a7: get_logins 0x1606a:$a10: KeyLoggerEventArgs 0x15cd5:$a11: KeyLoggerEventArgsEventHandler
2.2.Payment Error.cmd.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c441:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b673:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baa6:$a4: \Orbitum\User Data\Default\Login Data 0x1cae5:$a5: \Kometa\User Data\Default\Login Data
2.2.Payment Error.cmd.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15667:$s1: UnHook 0x1566e:$s2: SetHook 0x15676:$s3: CallNextHook 0x15683:$s4: _hook
2.2.Payment Error.cmd.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1840c:$x1: $%SMTPDV$ 0x18472:$x2: $#TheHashHere%& 0x19a51:$x3: %FTPDV$ 0x19b45:$x4: $%TelegramDv$ 0x15cd5:$x5: KeyLoggerEventArgs 0x1606a:$x5: KeyLoggerEventArgs 0x19a75:$m2: Clipboard Logs ID 0x19c95:$m2: Screenshot Logs ID 0x19da5:$m2: keystroke Logs ID 0x1a07f:$m3: SnakePW 0x19c6d:$m4: \SnakeKeylogger\
0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack	JoeSecurity_ReverseShell	Yara detected ReverseShell	Joe Security
0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa46fc:$a1: get_encryptedPassword 0xc512c:$a1: get_encryptedPassword 0xe594c:$a1: get_encryptedPassword 0xa49e8:$a2: get_encryptedUsername 0xc5418:$a2: get_encryptedUsername 0xe5c38:$a2: get_encryptedUsername 0xa4508:$a3: get_timePasswordChanged 0xc4f38:$a3: get_timePasswordChanged 0xe5758:$a3: get_timePasswordChanged 0xa4603:$a4: get_passwordField 0xc5033:$a4: get_passwordField 0xe5853:$a4: get_passwordField 0xa4712:$a5: set_encryptedPassword 0xc5142:$a5: set_encryptedPassword 0xe5962:$a5: set_encryptedPassword 0xa5d87:$a7: get_logins 0xc67b7:$a7: get_logins 0xe6fd7:$a7: get_logins 0xa5cea:$a10: KeyLoggerEventArgs 0xc671a:$a10: KeyLoggerEventArgs 0xe6f3a:$a10: KeyLoggerEventArgs
0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xa52e7:$s1: UnHook 0xc5d17:$s1: UnHook 0xe6537:$s1: UnHook 0xa52ee:$s2: SetHook 0xc5d1e:$s2: SetHook 0xe653e:$s2: SetHook 0xa52f6:$s3: CallNextHook 0xc5d26:$s3: CallNextHook 0xe6546:$s3: CallNextHook 0xa5303:$s4: _hook 0xc5d33:$s4: _hook 0xe6553:$s4: _hook
0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xa808c:$x1: $%SMTPDV$ 0xc8abc:$x1: $%SMTPDV$ 0xe92dc:$x1: $%SMTPDV$ 0xa80f2:$x2: $#TheHashHere%& 0xc8b22:$x2: $#TheHashHere%& 0xe9342:$x2: $#TheHashHere%& 0xa96d1:$x3: %FTPDV$ 0xca101:$x3: %FTPDV$ 0xea921:$x3: %FTPDV$ 0xa97c5:$x4: $%TelegramDv$ 0xca1f5:$x4: $%TelegramDv$ 0xeaa15:$x4: $%TelegramDv$ 0xa5955:$x5: KeyLoggerEventArgs 0xa5cea:$x5: KeyLoggerEventArgs 0xc6385:$x5: KeyLoggerEventArgs 0xc671a:$x5: KeyLoggerEventArgs 0xe6ba5:$x5: KeyLoggerEventArgs 0xe6f3a:$x5: KeyLoggerEventArgs 0xa96f5:$m2: Clipboard Logs ID 0xa9915:$m2: Screenshot Logs ID 0xa9a25:$m2: keystroke Logs ID
0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack	JoeSecurity_ReverseShell	Yara detected ReverseShell	Joe Security
0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf2f2c:$a1: get_encryptedPassword 0x11395c:$a1: get_encryptedPassword 0x13417c:$a1: get_encryptedPassword 0xf3218:$a2: get_encryptedUsername 0x113c48:$a2: get_encryptedUsername 0x134468:$a2: get_encryptedUsername 0xf2d38:$a3: get_timePasswordChanged 0x113768:$a3: get_timePasswordChanged 0x133f88:$a3: get_timePasswordChanged 0xf2e33:$a4: get_passwordField 0x113863:$a4: get_passwordField 0x134083:$a4: get_passwordField 0xf2f42:$a5: set_encryptedPassword 0x113972:$a5: set_encryptedPassword 0x134192:$a5: set_encryptedPassword 0xf45b7:$a7: get_logins 0x114fe7:$a7: get_logins 0x135807:$a7: get_logins 0xf451a:$a10: KeyLoggerEventArgs 0x114f4a:$a10: KeyLoggerEventArgs 0x13576a:$a10: KeyLoggerEventArgs
0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xf3b17:$s1: UnHook 0x114547:$s1: UnHook 0x134d67:$s1: UnHook 0xf3b1e:$s2: SetHook 0x11454e:$s2: SetHook 0x134d6e:$s2: SetHook 0xf3b26:$s3: CallNextHook 0x114556:$s3: CallNextHook 0x134d76:$s3: CallNextHook 0xf3b33:$s4: _hook 0x114563:$s4: _hook 0x134d83:$s4: _hook
0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf68bc:$x1: $%SMTPDV$ 0x1172ec:$x1: $%SMTPDV$ 0x137b0c:$x1: $%SMTPDV$ 0xf6922:$x2: $#TheHashHere%& 0x117352:$x2: $#TheHashHere%& 0x137b72:$x2: $#TheHashHere%& 0xf7f01:$x3: %FTPDV$ 0x118931:$x3: %FTPDV$ 0x139151:$x3: %FTPDV$ 0xf7ff5:$x4: $%TelegramDv$ 0x118a25:$x4: $%TelegramDv$ 0x139245:$x4: $%TelegramDv$ 0xf4185:$x5: KeyLoggerEventArgs 0xf451a:$x5: KeyLoggerEventArgs 0x114bb5:$x5: KeyLoggerEventArgs 0x114f4a:$x5: KeyLoggerEventArgs 0x1353d5:$x5: KeyLoggerEventArgs 0x13576a:$x5: KeyLoggerEventArgs 0xf7f25:$m2: Clipboard Logs ID 0xf8145:$m2: Screenshot Logs ID 0xf8255:$m2: keystroke Logs ID
Click to see the 17 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-21T21:32:00.224972+0100	2803305	3	Unknown Traffic	192.168.2.6	49713	104.21.16.1	443	TCP
2025-01-21T21:32:01.578762+0100	2803305	3	Unknown Traffic	192.168.2.6	49717	104.21.16.1	443	TCP
2025-01-21T21:32:02.872946+0100	2803305	3	Unknown Traffic	192.168.2.6	49719	104.21.16.1	443	TCP
2025-01-21T21:32:04.215916+0100	2803305	3	Unknown Traffic	192.168.2.6	49723	104.21.16.1	443	TCP
2025-01-21T21:32:06.860171+0100	2803305	3	Unknown Traffic	192.168.2.6	49738	104.21.16.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-21T21:31:58.743446+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49709	132.226.247.73	80	TCP
2025-01-21T21:31:59.666998+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49709	132.226.247.73	80	TCP
2025-01-21T21:32:00.962222+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49715	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "omz@omzpnomatik.net", "Password": "Mustafa2023x", "Host": "mail.omzpnomatik.net", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: Payment Error.cmd.exe	Virustotal: Detection: 51%			Perma Link
Source: Payment Error.cmd.exe	ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Payment Error.cmd.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Payment Error.cmd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49712 version: TLS 1.0

Source: Payment Error.cmd.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: Payment Error.cmd.exe, 00000000.00000002.4585296144.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, Payment Error.cmd.exe, 00000000.00000002.4583586670.0000000002F51000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ^value__Lambdaget_VisibleAreaSetVisibleAreaSystem.Windows.Mediaget_XMLSchemaget_SpaceAfterMemoryOperandCommaset_SpaceAfterMemoryOperandCommaSystem.Windows.DataMicrosoft.VisualStudio.Text.DataTDataget_Dataset_Dataget_ExtraDataget_HasExtraDataReadDataget_SearchDecompiledDataset_SearchDecompiledDataGetSerializedDataGetDeserializedDataget_SizeOfInitializedDataget_SizeOfUninitializedDataget_OldDataIResourceDataget_ResourceDataset_ResourceDataBuiltInResourceDataUserResourceDataGetResourceDataBinaryResourceDataReadImageDataGetImageDataCheckCanUpdateDataGetOrCreateDataget_CouldNotDeserializeDataget_BaseOfDataGetStartOfDataAddCustomDataOnCustomDataTryGetCustomDataClearDataget_HasDataGetObjectDataTryGetDataSetDataAddContentDataGetContentDataget_SizeOfRawDataget_PointerToRawDataget_NewDatadnSpy.Contracts.Metadataget_MetadataOverrideMetadataget_ContainsNoMetadataUIPropertyMetadataFrameworkPropertyMetadataget_DeltaPreprocessManipulationDeltaPostprocessManipulationDeltaBufferPositionToRvaget_Cbget_Tabget_ActiveTabset_ActiveTabCloseActiveTabGetOrCreateActiveTabget_IsActiveTabCloseAllButActiveTabget_DefaultIncrementalTabSelectPreviousTabget_DocumentTabset_DocumentTabTryGetDocumentTabSelectNextTabget_NewTabFollowReferenceNewTabget_OpenNewTabset_OpenNewTabOpenEmptyTabdnlib.DotNet.PdbLoadPdbIsCorLibdnlibmscorlibsbftbAffentoPub<>c source: Payment Error.cmd.exe
Source:	Binary string: dnlib.DotNet.Pdb source: Payment Error.cmd.exe

Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 015FF1F6h	2_2_015FF007
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 015FFB80h	2_2_015FF007
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_015FE528
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_015FEB5B
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_015FED3C
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CAF009h	2_2_05CAED60
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CAC041h	2_2_05CABD98
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CA1011h	2_2_05CA0D60
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CAB791h	2_2_05CAB4E8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CA0751h	2_2_05CA04A0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CAE759h	2_2_05CAE4B0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CADEA9h	2_2_05CADC00
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CADA51h	2_2_05CAD7A8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CAD1A1h	2_2_05CACEF8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CAC8F1h	2_2_05CAC648
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CAF8B9h	2_2_05CAF610
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CA1A38h	2_2_05CA1610
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CA1A38h	2_2_05CA1620
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CA1471h	2_2_05CA11C0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CAC499h	2_2_05CAC1F0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CAF461h	2_2_05CAF1B8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CABBE9h	2_2_05CAB940
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CA1A38h	2_2_05CA1966
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CAEBB1h	2_2_05CAE908
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CA0BB1h	2_2_05CA0900
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CA02F1h	2_2_05CA0040
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CAE301h	2_2_05CAE058
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CAD5F9h	2_2_05CAD350
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CACD49h	2_2_05CACAA0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 05CAFD11h	2_2_05CAFA68
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D88945h	2_2_06D88608
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D86171h	2_2_06D85EC8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D85D19h	2_2_06D85A70
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D858C1h	2_2_06D85618
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D86E79h	2_2_06D86BD0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06D833B8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06D833A8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D86A21h	2_2_06D86778
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D865C9h	2_2_06D86320
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D80B99h	2_2_06D808F0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D80741h	2_2_06D80498
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D87751h	2_2_06D874A8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D872FAh	2_2_06D87050
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D802E9h	2_2_06D80040
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D85441h	2_2_06D85198
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D88459h	2_2_06D881B0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D88001h	2_2_06D87D58
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D80FF1h	2_2_06D80D48
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 4x nop then jmp 06D87BA9h	2_2_06D87900

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.Payment Error.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.6:63656 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49715 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49709 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49717 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49719 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49723 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49738 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49713 -> 104.21.16.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49712 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003219000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.000000000320A000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003121000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031CF000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003219000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.000000000320A000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003164000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003121000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031CF000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003115000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Payment Error.cmd.exe, 00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003219000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.000000000320A000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003139000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031CF000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003219000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.000000000320A000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003164000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003121000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031CF000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Payment Error.cmd.exe, 00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003219000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.000000000320A000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003164000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031CF000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.Payment Error.cmd.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.Payment Error.cmd.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.Payment Error.cmd.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.Payment Error.cmd.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Payment Error.cmd.exe PID: 1416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Payment Error.cmd.exe PID: 1416, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Payment Error.cmd.exe PID: 2544, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Payment Error.cmd.exe PID: 2544, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment Error.cmd.exe

Source: C:\Users\user\Desktop\Payment Error.cmd.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 0_2_0145D324	0_2_0145D324
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 0_2_07E987F8	0_2_07E987F8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_015F6108	2_2_015F6108
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_015FC190	2_2_015FC190
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_015FF007	2_2_015FF007
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_015FB328	2_2_015FB328
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_015FC470	2_2_015FC470
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_015FC751	2_2_015FC751
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_015F9858	2_2_015F9858
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_015F6880	2_2_015F6880
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_015FBBD2	2_2_015FBBD2
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_015FCA31	2_2_015FCA31
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_015F4AD9	2_2_015F4AD9
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_015FBEB0	2_2_015FBEB0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_015F3570	2_2_015F3570
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_015FE517	2_2_015FE517
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_015FE528	2_2_015FE528
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_015FB4F2	2_2_015FB4F2
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA7D90	2_2_05CA7D90
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAED60	2_2_05CAED60
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA8460	2_2_05CA8460
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA3870	2_2_05CA3870
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CABD88	2_2_05CABD88
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CABD98	2_2_05CABD98
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAED50	2_2_05CAED50
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA0D51	2_2_05CA0D51
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA0D60	2_2_05CA0D60
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAB4D7	2_2_05CAB4D7
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAB4E8	2_2_05CAB4E8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA0490	2_2_05CA0490
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA04A0	2_2_05CA04A0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAE4A0	2_2_05CAE4A0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAE4B0	2_2_05CAE4B0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CADC00	2_2_05CADC00
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAD798	2_2_05CAD798
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAD7A8	2_2_05CAD7A8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CACEE9	2_2_05CACEE9
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CACEF8	2_2_05CACEF8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAC648	2_2_05CAC648
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAF600	2_2_05CAF600
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAF610	2_2_05CAF610
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAC638	2_2_05CAC638
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA11C0	2_2_05CA11C0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAC1E0	2_2_05CAC1E0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAC1F0	2_2_05CAC1F0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAF1A9	2_2_05CAF1A9
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAF1B8	2_2_05CAF1B8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA11B0	2_2_05CA11B0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAB940	2_2_05CAB940
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAE908	2_2_05CAE908
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA0900	2_2_05CA0900
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAB930	2_2_05CAB930
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAE8F8	2_2_05CAE8F8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA08F0	2_2_05CA08F0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAE04B	2_2_05CAE04B
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA0040	2_2_05CA0040
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAE058	2_2_05CAE058
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA3860	2_2_05CA3860
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA001C	2_2_05CA001C
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA73E8	2_2_05CA73E8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CADBF1	2_2_05CADBF1
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAD340	2_2_05CAD340
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAD350	2_2_05CAD350
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CACAA0	2_2_05CACAA0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAFA59	2_2_05CAFA59
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CAFA68	2_2_05CAFA68
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8B6E8	2_2_06D8B6E8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8AA58	2_2_06D8AA58
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8D670	2_2_06D8D670
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D88608	2_2_06D88608
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8C388	2_2_06D8C388
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8B0A0	2_2_06D8B0A0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D88C51	2_2_06D88C51
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8A408	2_2_06D8A408
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8D028	2_2_06D8D028
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8C9D8	2_2_06D8C9D8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D811A0	2_2_06D811A0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8BD38	2_2_06D8BD38
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8B6D9	2_2_06D8B6D9
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D85EC8	2_2_06D85EC8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D85EB8	2_2_06D85EB8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8AA48	2_2_06D8AA48
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D85A70	2_2_06D85A70
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D85A60	2_2_06D85A60
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8D661	2_2_06D8D661
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D85618	2_2_06D85618
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D85609	2_2_06D85609
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D88603	2_2_06D88603
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D86BD0	2_2_06D86BD0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D86BC1	2_2_06D86BC1
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8A3F8	2_2_06D8A3F8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D833B8	2_2_06D833B8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D833A8	2_2_06D833A8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D86778	2_2_06D86778
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8C378	2_2_06D8C378
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D86311	2_2_06D86311
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D83730	2_2_06D83730
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D86320	2_2_06D86320
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D808F0	2_2_06D808F0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D878F0	2_2_06D878F0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D808E0	2_2_06D808E0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D80498	2_2_06D80498
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D87497	2_2_06D87497
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D80488	2_2_06D80488
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D874A8	2_2_06D874A8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D87050	2_2_06D87050
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D87049	2_2_06D87049
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D80040	2_2_06D80040
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D82818	2_2_06D82818
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8D018	2_2_06D8D018
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D80011	2_2_06D80011
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D82807	2_2_06D82807
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D84430	2_2_06D84430
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8C9C8	2_2_06D8C9C8
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D85198	2_2_06D85198
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D81191	2_2_06D81191
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8518B	2_2_06D8518B
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D881B0	2_2_06D881B0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D881A0	2_2_06D881A0
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D87D58	2_2_06D87D58
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D80D48	2_2_06D80D48
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D87D48	2_2_06D87D48
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D87900	2_2_06D87900
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D80D39	2_2_06D80D39
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_06D8BD28	2_2_06D8BD28

Source: Payment Error.cmd.exe, 00000000.00000002.4585296144.0000000005F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Payment Error.cmd.exe
Source: Payment Error.cmd.exe, 00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs Payment Error.cmd.exe
Source: Payment Error.cmd.exe, 00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Payment Error.cmd.exe
Source: Payment Error.cmd.exe, 00000000.00000002.4584933560.0000000005880000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs Payment Error.cmd.exe
Source: Payment Error.cmd.exe, 00000000.00000002.4583586670.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Payment Error.cmd.exe
Source: Payment Error.cmd.exe, 00000000.00000002.4583586670.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Payment Error.cmd.exe
Source: Payment Error.cmd.exe, 00000000.00000002.4582578269.000000000123E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Payment Error.cmd.exe
Source: Payment Error.cmd.exe, 00000000.00000000.2117760056.0000000000C2A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFuzio.exe, vs Payment Error.cmd.exe
Source: Payment Error.cmd.exe, 00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Payment Error.cmd.exe
Source: Payment Error.cmd.exe, 00000002.00000002.4582208823.0000000001167000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Payment Error.cmd.exe
Source: Payment Error.cmd.exe	Binary or memory string: OriginalFilenameFuzio.exe, vs Payment Error.cmd.exe

Source: Payment Error.cmd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.Payment Error.cmd.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.Payment Error.cmd.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Payment Error.cmd.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.Payment Error.cmd.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Payment Error.cmd.exe PID: 1416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Payment Error.cmd.exe PID: 1416, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Payment Error.cmd.exe PID: 2544, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Payment Error.cmd.exe PID: 2544, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment Error.cmd.exe.5880000.4.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.Payment Error.cmd.exe.5880000.4.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@3/0@2/2

Source: C:\Users\user\Desktop\Payment Error.cmd.exe

Mutant created: NULL

Source: Payment Error.cmd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Payment Error.cmd.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Payment Error.cmd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payment Error.cmd.exe, 00000002.00000002.4583642550.0000000003292000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000032B0000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000032D7000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000032E4000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4583642550.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Payment Error.cmd.exe, 00000002.00000002.4585143338.00000000040E9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Payment Error.cmd.exe	Virustotal: Detection: 51%
Source: Payment Error.cmd.exe	ReversingLabs: Detection: 31%

Source: Payment Error.cmd.exe

String found in binary or memory: <body>)

Source: unknown	Process created: C:\Users\user\Desktop\Payment Error.cmd.exe "C:\Users\user\Desktop\Payment Error.cmd.exe"
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process created: C:\Users\user\Desktop\Payment Error.cmd.exe "C:\Users\user\Desktop\Payment Error.cmd.exe"
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process created: C:\Users\user\Desktop\Payment Error.cmd.exe "C:\Users\user\Desktop\Payment Error.cmd.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Payment Error.cmd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Payment Error.cmd.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Payment Error.cmd.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Payment Error.cmd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment Error.cmd.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Payment Error.cmd.exe

Static file information: File size 1339392 > 1048576

Source: Payment Error.cmd.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x146600

Source: Payment Error.cmd.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: Payment Error.cmd.exe, 00000000.00000002.4585296144.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, Payment Error.cmd.exe, 00000000.00000002.4583586670.0000000002F51000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ^value__Lambdaget_VisibleAreaSetVisibleAreaSystem.Windows.Mediaget_XMLSchemaget_SpaceAfterMemoryOperandCommaset_SpaceAfterMemoryOperandCommaSystem.Windows.DataMicrosoft.VisualStudio.Text.DataTDataget_Dataset_Dataget_ExtraDataget_HasExtraDataReadDataget_SearchDecompiledDataset_SearchDecompiledDataGetSerializedDataGetDeserializedDataget_SizeOfInitializedDataget_SizeOfUninitializedDataget_OldDataIResourceDataget_ResourceDataset_ResourceDataBuiltInResourceDataUserResourceDataGetResourceDataBinaryResourceDataReadImageDataGetImageDataCheckCanUpdateDataGetOrCreateDataget_CouldNotDeserializeDataget_BaseOfDataGetStartOfDataAddCustomDataOnCustomDataTryGetCustomDataClearDataget_HasDataGetObjectDataTryGetDataSetDataAddContentDataGetContentDataget_SizeOfRawDataget_PointerToRawDataget_NewDatadnSpy.Contracts.Metadataget_MetadataOverrideMetadataget_ContainsNoMetadataUIPropertyMetadataFrameworkPropertyMetadataget_DeltaPreprocessManipulationDeltaPostprocessManipulationDeltaBufferPositionToRvaget_Cbget_Tabget_ActiveTabset_ActiveTabCloseActiveTabGetOrCreateActiveTabget_IsActiveTabCloseAllButActiveTabget_DefaultIncrementalTabSelectPreviousTabget_DocumentTabset_DocumentTabTryGetDocumentTabSelectNextTabget_NewTabFollowReferenceNewTabget_OpenNewTabset_OpenNewTabOpenEmptyTabdnlib.DotNet.PdbLoadPdbIsCorLibdnlibmscorlibsbftbAffentoPub<>c source: Payment Error.cmd.exe
Source:	Binary string: dnlib.DotNet.Pdb source: Payment Error.cmd.exe

Source: Payment Error.cmd.exe

Static PE information: 0x8FB59FDE [Sun May 27 14:40:30 2046 UTC]

Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA2E78 push esp; iretd		2_2_05CA2E79
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Code function: 2_2_05CA2840 push esp; retf		2_2_05CA2AC9

Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Memory allocated: 1450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Memory allocated: 4F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Memory allocated: 15F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Memory allocated: 3060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Memory allocated: 1670000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598607	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598499	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598386	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598280	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596126	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 595502	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594031	Jump to behavior

Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Window / User API: threadDelayed 2009			Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Window / User API: threadDelayed 7826			Jump to behavior

Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7036	Thread sleep count: 2009 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7036	Thread sleep count: 7826 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -598607s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -598499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -598386s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -598280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -597374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -596126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -595502s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -595266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -594250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -594141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe TID: 7004	Thread sleep time: -594031s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598607	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598499	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598386	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598280	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596126	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 595502	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Thread delayed: delay time: 594031	Jump to behavior

Source: Payment Error.cmd.exe, 00000002.00000002.4582693150.00000000013D6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS

Source: C:\Users\user\Desktop\Payment Error.cmd.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Payment Error.cmd.exe

Code function: 2_2_05CA7D90 LdrInitializeThunk,

2_2_05CA7D90

Source: C:\Users\user\Desktop\Payment Error.cmd.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Payment Error.cmd.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Payment Error.cmd.exe

Process created: C:\Users\user\Desktop\Payment Error.cmd.exe "C:\Users\user\Desktop\Payment Error.cmd.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Queries volume information: C:\Users\user\Desktop\Payment Error.cmd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Queries volume information: C:\Users\user\Desktop\Payment Error.cmd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payment Error.cmd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected ReverseShell

Source: Yara match	File source: 2.2.Payment Error.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment Error.cmd.exe PID: 1416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment Error.cmd.exe PID: 2544, type: MEMORYSTR

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.Payment Error.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4583642550.0000000003227000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4583642550.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment Error.cmd.exe PID: 1416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment Error.cmd.exe PID: 2544, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Payment Error.cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Payment Error.cmd.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Payment Error.cmd.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 2.2.Payment Error.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment Error.cmd.exe PID: 1416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment Error.cmd.exe PID: 2544, type: MEMORYSTR

Remote Access Functionality

Yara detected ReverseShell

Source: Yara match	File source: 2.2.Payment Error.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment Error.cmd.exe PID: 1416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment Error.cmd.exe PID: 2544, type: MEMORYSTR

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.Payment Error.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Error.cmd.exe.3ff69d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Error.cmd.exe.3fa81a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4582094960.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4583642550.0000000003227000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4583916850.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4583642550.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment Error.cmd.exe PID: 1416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment Error.cmd.exe PID: 2544, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment Error.cmd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Payment Error.cmd.exe